NNSquad - Network Neutrality Squad
[ NNSquad ] Re: [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"
[ The government has repeatedly and largely unapologetically blocked innocent sites (and foreign sites arguably not under U.S. jurisdiction) in the course of implementing court-approved blocks. This means that any error conditions related to this situation must be viewed in terms of their impact on innocent and potentially innocent sites as well as on legally targeted sites. Even "guilty" sites (as per government claims) -- and especially innocent sites -- deserve to have their users properly notified of government actions. Various artificially induced error conditions are not an acceptable substitute for court-ordered blocking-related notifications to users. Also, given the fact that "unauthorized" wiretaps are an unfortunate fact of life in this country, they also are of interest in any associated analysis.
  -- Lauren Weinstein
     NNSquad Moderator ]

Vint Cerf:
> "George's argument seems flawed to me. Suppose you have a site that is NOT
> illegal but a government wants to suppress it or even re-direct to a
> counterfeit site."

As Richard pointed out, this is irrelevant to the discussion since the Protect IP Act only authorizes filtering of sites that are primarily dedicated to selling counterfeit goods.

Vint Cerf:
> "Without DNSSEC, such re-direction is possible without
> detection. With DNSSEC one of two things might happen:
> 1. the site looks invalid because the DNSSEC check fails in which case
> counterfeiting the site doesn't work. that's the good case I suppose except
> that the government "wins" since it suppresses access to the site for those
> relying on DNSSEC"

If a web browser queries a newly visited website (one deemed illegal by the courts) for both DNS and DNSSEC, the DNS reply will be redirected to a takedown notification. There would be no DNSSEC response as the redirector (in this case the ISP) wouldn't have the ability to cryptographically sign DNSSEC responses.

In this scenario, the use of DNS filtering required by the Protect IP Act would deny service to the entire website, secured by DNSSEC or not. It does not affect legal websites not deemed illegal by the courts, which means DNS filtering poses no risk to legally valid uses of DNSSEC. If a web browser queries a site whose known security profile is DNSSEC-only, then the redirection of DNS would fail in addition to the lack of a valid DNSSEC response. Even if the mandated redirection failed, a key objective of the law is still fulfilled, which is to impede the counterfeit website. Again in this scenario, there is no risk to legal websites.

Vint Cerf:
> 2. the government produces a false but signed entry that passes the DNSSEC
> check (wouldn't that mean that it had falsified a certificate containing the
> public key of that domain name?) in which case the government succeeds in
> re-directing even a DNSSEC-checking user."

What you are talking about here would be a wire tap and the Protect IP Act would not authorize wire tapping. Therefore this is not a valid concern with regard to the Protect IP Act.

Vint Cerf:
> Of course, if you ignore DNSSEC and accept whatever comes back as the IP
> address, you will be fooled (or denied access to the real site).

This would be a flagrantly negligent implementation of DNSSEC. A DNSSEC implementation is only secure if it enforces the authentication checks. This has nothing to do with the DNS filtering aspect of the Protect IP Act.

George Ou

-----Original Message-----
From: Richard Bennett [mailto:richard@bennett.com]
Sent: Monday, July 18, 2011 1:33 PM
To: nnsquad@nnsquad.org; Vint Cerf; George Ou
Subject: Re: [ NNSquad ] [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"

Unlike the government action in Vint's hypothetical, PROTECT IP is not about censorship of unpopular opinions. Rather, the goal of PROTECT IP is to block access to sites that sell unlicensed movies, so faking out the user who would otherwise purchase from an unauthorized seller is not in the cards. So George's point stands that PROTECT-IP accomplishes the goal and does not "break" DNSSEC.

RB

On 7/18/2011 10:44 AM, Lauren Weinstein wrote:
> Forwarded with Vint's permission.
>
> --Lauren--
>
> ----- Forwarded message from Vint Cerf <vint@google.com> -----
>
> On Sun, Jul 17, 2011 at 11:59 PM, Lauren Weinstein <lauren@vortex.com> wrote:
>
>> Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"
>>
>> http://j.mp/qHnkDB (ISC)
>>
>> "Nevertheless the raw uncomfortable truth of the matter is that any
>> form of mandated "DNS blocking'' whose goal is to make certain domain
>> names unreachable will be indistinguishable from the result of a
>> Secure DNS failure - and a failure is a failure is a failure."
>>
>> - - -
>>
>> It should be noted that the MPAA's response on these issues is the
>> assertion that most users are too stupid to understand how to change
>> their DNS (presumably even after being given step by step instructions)
>> and that not permitting content owners to manipulate the DNS to protect
>> their profit centers would amount to allowing the Internet to "decay
>> into a lawless Wild West."
>>
>> --Lauren--
>> Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
>> Co-Founder: People For Internet Responsibility: http://www.pfir.org
>> Founder:
>> - Network Neutrality Squad: http://www.nnsquad.org
>> - Global Coalition for Transparent Internet Performance: http://www.gctip.org
>> - PRIVACY Forum: http://www.vortex.com
>> Member: ACM Committee on Computers and Public Policy
>> Blog: http://lauren.vortex.com
>> Google+: http://vortex.com/g+lauren
>> Twitter: https://twitter.com/laurenweinstein
>> Tel: +1 (818) 225-2800 / Skype: vortex.com
>
> ----- End forwarded message -----

--
Richard Bennett
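Added example, not part of the thread above: a toy validating resolver that shows what George's redirected-but-unsigned answer for a DNSSEC-signed zone, and Vint's case 1 (a forged answer that fails the check), look like from the validator's side, and what a DNSSEC-enforcing client receives in each case. The zone name, addresses and the HMAC-based stand-in for RRSIG are constructed assumptions, not real DNSSEC.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the zone's private key. Real DNSSEC uses public-key
# RRSIGs chained to a trust anchor; an HMAC key held only by the zone signer
# keeps the one property that matters here: nobody else can forge a valid tag.
ZONE_KEY = b"constructed-example-zone-key"

def _tag(name, rtype, rdata, key):
    canon = json.dumps([name.lower(), rtype, sorted(rdata)]).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def sign_rrset(name, rtype, rdata, key=ZONE_KEY):
    """Zone operator signs an RRset and attaches the RRSIG-like tag."""
    return {"name": name, "type": rtype, "rdata": list(rdata),
            "rrsig": _tag(name, rtype, rdata, key)}

def validate(answer, key=ZONE_KEY):
    """Validating resolver: 'secure' or 'bogus'. A bogus answer reaches the
    client only as SERVFAIL, carrying no rdata and no reason."""
    sig = answer.get("rrsig")
    if not sig:
        return "bogus"  # signed zone, but the answer arrived unsigned
    expected = _tag(answer["name"], answer["type"], answer["rdata"], key)
    return "secure" if hmac.compare_digest(sig, expected) else "bogus"

def isp_redirect(answer, takedown_ip):
    """Filtering as the thread describes it: the ISP rewrites the A record to
    the takedown-notification address and, holding no zone key, sends it unsigned."""
    redirected = dict(answer, rdata=[takedown_ip])
    redirected.pop("rrsig", None)
    return redirected

def forged_answer(answer, attacker_ip):
    """Vint's case 1: rdata swapped without the zone key, so the stale RRSIG no longer matches."""
    return dict(answer, rdata=[attacker_ip])

def client_result(answer):
    """What a DNSSEC-enforcing client ends up with for one answer."""
    status = validate(answer)
    return status, (answer["rdata"] if status == "secure" else "SERVFAIL")

def resolver_view(name="blocked.example", real_ip="192.0.2.10"):
    """Constructed zone: the same validator sees the block and the forgery alike."""
    genuine = sign_rrset(name, "A", [real_ip])
    return {"genuine": client_result(genuine),
            "court_ordered_redirect": client_result(isp_redirect(genuine, "198.51.100.1")),
            "forgery": client_result(forged_answer(genuine, "203.0.113.7"))}
```

Note that the takedown address never reaches a validating client: it gets SERVFAIL for both the court-ordered redirect and the forgery, which is the "failure is a failure" outcome Vixie describes.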